The CMMC requirements have only just started to roll out. At this time, far more questions are being asked than there are Contractors and Subcontractors who have actually become CMMC certified. The bulk of the Defense Industrial Base is currently most concerned with meeting Maturity Level 1, and the process for achieving that level of compliance is still rather murky.

The goal of this article is to answer some of the more frequently asked questions about the CMMC.

The Questions & The Answers

1. What is the difference between Attesting and Accreditation?

Under NIST SP 800-171, Defense Contractors (as well as their Subcontractors) had the benefit of being able to self-attest their compliance with regard to the deployment and implementation of the required controls. In other words, all that was needed was the submission of paperwork claiming this fact, without any third-party oversight to confirm that it was indeed the case. With the CMMC, this is no longer true. Each entity in the Defense Industrial Base must now prove not only that it has been assessed by an approved third-party organization, but also that the necessary and correct set of controls is in place to protect both CUI and FCI datasets. Only then can the Defense Contractor achieve Certification at the Maturity Level it needs. This process can be viewed as “Accreditation”. It is the CMMC Accreditation Body (CMMC-AB) that oversees all of this and has complete authority over the Certified Third-Party Assessment Organizations (C3PAOs). These are the assessors that determine whether a Defense Contractor has passed its audit and can be certified.

2. How do I prove to a CMMC Auditor that I am implementing security?

The best way to show an auditor that compliance has been met is to demonstrate that you have implemented all of the controls required to meet the security requirements for each Maturity Level. As previously mentioned, everybody is now focused on Maturity Level 1. There are 17 different areas in which controls must be implemented, and they fall under the following major categories:

  • Access Control (AC)
  • Identification and Authentication (IA)
  • Media Protection (MP)
  • Physical Protection (PP)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Furthermore, if you can demonstrate to the CMMC Auditor that all 17 of these controls have been tested and are operating effectively, you will also be on a quicker path to certification at this Maturity Level.

3. What is the Christian Doctrine and why should I be concerned about it?

The legal definition of it is as follows:

“It provides that a mandatory statute or regulation that expresses a significant or deeply ingrained strand of public procurement policy shall be read into a federal contract by operation of law, even if the clause is not in the contract.”

(SOURCE: 1).

Simply put, it means that even if a provision or clause is not explicitly stated in a DoD contract, it can still be inferred from the objectives and purpose of the contract and enforced by a court of law. As it relates to the CMMC, a good example is as follows: suppose Company XYZ has just signed a contract with the DoD after being certified at a particular Maturity Level. This contract will explicitly state which CUI and FCI datasets are covered for the purposes of fulfilling its terms. Keep in mind, however, that any existing datasets that Company XYZ already holds in its databases (prior to signing the contract) and that will be used to complete the job will also be subject to protection by the same set of controls applied to the CUI and FCI datasets, even though this has not been explicitly spelled out in the contract.

So, as a Defense Contractor, you really do need to be concerned about this: given the newness of the CMMC process, there may be many clauses or provisions that can still be inferred (and even enforced by a court of law) even though they are not clearly stated in the DoD contract. In this regard, the best line of defense is to confirm any missing clauses with the Contracting Officer you are working with at the DoD. Some typical examples of inferred clauses/provisions include the following:

  • Any transactional disputes
  • Termination of employees
  • How changes or amendments should be made to an existing DoD contract
  • Equal Opportunity and Affirmative Action for employees

4. What is the False Claims Act and should I be concerned about it?

Also known as the “FCA” or the “Lincoln Law”, this is a federal law that clearly stipulates that any individual or entity that willfully and purposefully defrauds the United States Federal Government can face serious criminal or financial penalties (or both). This law has typically been applied to Defense Contractors that conduct work with the DoD, even before the CMMC became a reality. Now that the CMMC has come to fruition, these entities need to pay even closer attention to the FCA. For example, since the DoD now enforces it strictly, a Defense Contractor can face not only the previously mentioned penalties, but could also have its existing contract immediately terminated and its Maturity Level certification stripped.

Conclusions

Overall, this article has examined some of the top questions being asked about the CMMC today. If you have any other questions or need more help, please contact us today.

Sources